On 6 October 2014 12:26, Stefan Bodewig <bode...@apache.org> wrote:
> On 2014-10-06, sebb wrote:
>
>> On 6 October 2014 08:16, Stefan Bodewig <bode...@apache.org> wrote:
>
>>>> Just a note on the GPG key, it might be a good idea to upgrade to a
>>>> stronger one. 1024 bits keys are discouraged nowadays.
>
>>>> http://www.apache.org/dev/release-signing
>
>>> I know, but leaving behind a key that has accumulated signatures over
>>> more than ten years is hard ...
>
>> I assume that the people who signed your key trust that it is still yours.
>
>> If you use it to sign your new key, is that not sufficient?
>
> Right, at least in a way.
>
> If I created a new key and signed it with the old one the WOT would
> still be there in a transitive way. But a direct signature conveys more
> trust (in a GnuPG sense of trust) than a transitive one along the graph.
>
> Creating a new key is somewhere down my todo list but I shy away from
> the hassle of asking all people who signed the old key to also sign the
> new one so the new one won't be worth less.

What I meant was: the people who signed your current key might be
prepared to sign your new key without needing to meet in person and
exchange details. So the effort would be much less than for the first
signing.

> Stefan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>